I'm having a similar issue with a new API I'm writing for a 7.15.3 site. As I understand it, inheriting from UmbracoAuthorizedApiController means you don't need to decorate the methods with [UmbracoAuthorize].
My problem is that I don't appear to be able to get authorisation with my request. All I get in return is {"Message":"Authorization has been denied for this request."} In Postman I'm adding an Authorization header of Type "Basic Auth" with a correct username and password for a backoffice user.
If I change the API to inherit from UmbracoApiController and change the route from /umbraco/backoffice/api/ to /umbraco/api/ it returns the expected JSON, so it's just the authorisation I'm having a problem with.
The API is called from other websites.
Relevant code here:
namespace MySite.Web.Controllers.ApiControllers.NewsAndEvents
{
public class NewsAndEventsApiController : UmbracoAuthorizedApiController
{
string siteAddress = HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Authority);
[HttpPost]
public ArticleListResponseModel GetArticleList (ArticleListRequestModel jsonRequest) {
ArticleListResponseModel returnArticleList = new ArticleListResponseModel();
.... More code....
}
}
}
Am I missing a trick somewhere? Any advice would be appreciated.
I'm not 100% sure you can authenticate the requests like that. I think you have to be logged into the back office first in order to make requests to controllers decorated with UmbracoAuthorizedApiController as it passes the authentication cookie along with the request. I seem to remember there is a setting in Postman to include your local cookies in requests you make.
I know this doesn't pertain to the original question. But I just googled how to setup Postman to be able to connect to UmbracoAuthorizeAPIController endpoints and this came up as the first hit.
Just wanted to share that if you copy the UMB_UCONTEXT cookie over to postman using the "Cookies" link in the top right hand side, then you can call backend endpoints. You can also sync your cookies as Simon mentions. This uses the "Interceptor" in postman and requires a Chrome extension to run. There is a very easy guide for that in the "Cookies" section in Postman
Thanks Simon, it appears I'm mis-architecting it then. What I'm looking for is to secure my UmbracoAPI endpoint so it can be used by only certain requestors. Ideally they'd be either Umbraco users or Members (I don't mind which) so the client can easily control them and assign new accounts as needed.
I suppose the question is, does Umbraco have such a facility, is there a package, or is time to roll one's own authentication system?
I am working on a v7 project at the moment that similarly needs to secure API endpoints and we have gone down the route of JWT. Warren Buckley has a project that might help point you in the right direction.
Failing authorisation when calling an UmbracoAuthorizedApiController
Ref: https://our.umbraco.com/forum/extending-umbraco-and-using-the-api/92375-best-way-to-authenticate-umbraco-api-request-as-back-office-user
I'm having a similar issue with a new API I'm writing for a 7.15.3 site. As I understand it, inheriting from UmbracoAuthorizedApiController means you don't need to decorate the methods with [UmbracoAuthorize].
My problem is that I don't appear to be able to get authorisation with my request. All I get in return is
{"Message":"Authorization has been denied for this request."}In Postman I'm adding an Authorization header of Type "Basic Auth" with a correct username and password for a backoffice user.If I change the API to inherit from UmbracoApiController and change the route from /umbraco/backoffice/api/ to /umbraco/api/ it returns the expected JSON, so it's just the authorisation I'm having a problem with.
The API is called from other websites.
Relevant code here:
Am I missing a trick somewhere? Any advice would be appreciated.
//Craig
I'm not 100% sure you can authenticate the requests like that. I think you have to be logged into the back office first in order to make requests to controllers decorated with
UmbracoAuthorizedApiControlleras it passes the authentication cookie along with the request. I seem to remember there is a setting in Postman to include your local cookies in requests you make.I know this doesn't pertain to the original question. But I just googled how to setup Postman to be able to connect to UmbracoAuthorizeAPIController endpoints and this came up as the first hit.
Just wanted to share that if you copy the UMB_UCONTEXT cookie over to postman using the "Cookies" link in the top right hand side, then you can call backend endpoints. You can also sync your cookies as Simon mentions. This uses the "Interceptor" in postman and requires a Chrome extension to run. There is a very easy guide for that in the "Cookies" section in Postman
Thanks Simon, it appears I'm mis-architecting it then. What I'm looking for is to secure my UmbracoAPI endpoint so it can be used by only certain requestors. Ideally they'd be either Umbraco users or Members (I don't mind which) so the client can easily control them and assign new accounts as needed.
I suppose the question is, does Umbraco have such a facility, is there a package, or is time to roll one's own authentication system?
Cheers,
// Craig
See here: https://our.umbraco.com/documentation/reference/routing/webapi/authorization
I am working on a v7 project at the moment that similarly needs to secure API endpoints and we have gone down the route of JWT. Warren Buckley has a project that might help point you in the right direction.
https://github.com/warrenbuckley/Umbraco-JWT-AuthTokens/
Hope that helps.
Simon
Thanks Simon, I'll take a look.
is working on a reply...